20
Security in the age of digital disruption An Australian and New Zealand perspective
Security in the age of digital disruptionAn Australian and New Zealand perspective
Foreword 3
Introduction 4
Investment in emerging technologies is on the rise 5
Organisation-wide approach to digital 6
Stepping up cybersecurity’s significance 7
Identifying cybersecurity attacks and threats 10
Cost of cybersecurity breaches 13
Getting on the front foot with cybersecurity services 14
Recommendations 18
About this report 19
Contents
Welcome to the new era of digital disruption. Today, CEOs and boards are constantly under pressure to ensure their organisations are both relevant and resilient in the face of rapid technological and social change.
The constant evolution of cybersecurity threats and shortage of cybersecurity skills – coupled with the introduction of the Australian Government’s Notifiable Data Breaches scheme and the EU’s General Data Protection Regulation – has made cybersecurity an organisational-wide challenge at the top of every business leader’s agenda.
It is against this backdrop that DXC Technology is pleased to contribute a new perspective on the challenge of security in the age of digital disruption and how Australian and New Zealand organisations can adopt best practice to thrive in this unprecedented time of change, all backed by independently produced research from Telsyte.
DXC Technology believes it is time to advocate a more holistic approach to digital transformation. Telsyte’s local research of more than 240 IT decision makers in Australian and New Zealand organisations shows organisations need an aligned digital transformation and security strategy.
With this I am pleased to introduce you to Security in the age of digital disruption. I hope the findings in this research study will help your organisation take on today’s security challenges and thrive now and in the future.
Seelan Nayagam Managing Director DXC Technology Australia & New Zealand
Foreword
Australian organisations are investing strongly in emerging technologies and digital business initiatives. A wave of digital transformation is aimed at modernising legacy systems and building new platforms to remain relevant in the face of increasing global competition.
Everything from the Internet of Things to big data analytics and artificial intelligence, are being applied for process improvement and new customer service options.
As these new technologies appear, so are new cybersecurity risks, which, if not managed prudently, can result in loss of revenue-generating capability and significant reputation damage.
DXC Technology commissioned Australian emerging technology research firm Telsyte to investigate how cybersecurity investments and strategies are keeping pace with wider digital agendas.
This report, Security in the age of digital disruption: An Australia and New Zealand perspective, presents the key findings of the research and how IT and business leaders across Australia and New Zealand can measure the cost of low or poor cybersecurity investments and the resulting impact on digital transformation programs.
Despite heavy investments in emerging technologies, organisations are still lagging when it comes to cybersecurity spending, and this lack of commitment poses a real business risk. IT and business leaders in the region must align their cybersecurity strategy and spending with emerging technology investments, to ensure digital transformation programs are executed with confidence.
With a solid investment strategy, cybersecurity will become an enabler of new business innovation.
Introduction
4
5
Investment in emerging technologies is on the rise
Organisations in Australia and New Zealand are now at the forefront of new technology adoption. Developments in various emerging technology areas, such as artificial intelligence (AI) and big data, have forced government agencies and businesses to adapt to the wave of digital disruption.
Digital-only businesses have also entered new markets outside the US and Asia, and local organisations are now forced to deal with their disruptive threats alongside traditional competitors. Investments in emerging technologies is a means to remain competitive and to gain an edge over industry laggards.
To quantify the uptake of emerging technology, and how cybersecurity investments are keeping up with the changes, Telsyte conducted a study of more than 200 ICT decision makers from Australia and New Zealand.
The research found at least one in three organisations across the region intend to adopt emerging technologies such as AI, cellular machine-to-machine (M2M) or big data and analytics, with New Zealand organisations having higher adoption intention overall.
What technologies are you planning to adopt? New Zealand (%) Australia (%)
Artificial intelligence 69 47
Cellular machine-to-machine (M2M) 44 36
Big Data and Data Analytics 46 33
Table 1. Examples of emerging technology adoption intentions in Australia and New Zealand
A high level of investment in emerging technologies is poised to support enterprise-wide digital strategies. More than 70 per cent of organisations surveyed have an organisation-wide digital strategy, which, according to Telsyte’s research is strategically important to prevent fragmented projects and a lack of intelligence on the success of digital spending.
Key Points
Balancing emerging technologies and security
• Investments in new technology is growing strong
• Any new technology or service brings risk
• Organisations must push ahead with digital transformation to remain relevant
• Agile organisations will mitigate risk as it appears
With new technology comes risk and prudent IT and business leaders will identify and mitigate risks during the adoption phase. In the case of big data, Telsyte identified a standard, organisation-wide approach as the fastest-growing challenge for CIOs. This challenge must be addressed for the company to be successful with an organisation-wide digital strategy.
Most organisations have digital strategies to improve legacy non-digital processes and explore new revenue opportunities. As digital became a business driver, individual business units developed their own business strategies to benefit their own interests, such as marketing, operations or customer service.
The challenge with a siloed approach to digital is a lack of an organisation-wide strategy to transform the entire business, not just one department. Telsyte research shows an organisation-wide approach is now overwhelmingly favoured by CIOs across Australia and New Zealand. Digital impacts the whole business and getting the highest return requires a holistic strategy.
6
Figure 1. An organisation-wide approach to digital is now seen as best practice.
No, but we are investigating
3%
Yes, organisation wide
72%
Yes, it varies across business units
25%
Q. Does your organisation have a digital strategy?
Telsyte Cybersecurity Study, 2019, n=243
Organisation-wide approach to digital
Figure 2. The cybersecurity challenge is not resulting in more investment.
Stepping up cybersecurity’s significance
Big investments in emerging technologies are advancing digital initiatives; however, cybersecurity spending is failing to keep up with this trend.
The study found organisations on average only spend 6 per cent of their digital budget on cybersecurity. This level of funding indicates cybersecurity is still an afterthought, despite many well-publicised breaches in recent years.
Furthermore, this alarming finding is at odds with the overall importance of cybersecurity as an IT challenge. Telsyte’s recent Digital Workplace study of 403 Australian ICT decision makers found cybersecurity ranked as the top IT challenge for organisations in 2018.
Cybersecurity issues affect all levels of the business, starting at the digital strategy level. Telsyte’s cybersecurity study found nearly one-third of organisations across Australia and New Zealand have had their digital strategy impacted by cybersecurity factors.
A lack of collaboration between digital teams and the technologies and processes used by cybersecurity teams is adding to the challenge. Having a limited scope for a whole-of-business cybersecurity strategy is equally to blame for an impact on the wider digital strategy.
On average, organisations only spend
6%of their digital budget on cybersecurity.
Q. What are your organisation's top IT challenges?
Key points
Security critical, but spending low
• Cybersecurity is seen as the top ICT challenge - but only 6% of digital budgets go to cybersecurity
• Lack of collaboration between security teams remains a challenge
• Emerging areas like cloud and big data leading to cybersecurity “gaps”
Source: Telsyte Australian Digital Workplace Study 2018, n–403
1. Cybersecurity 2. Keeping up with new technolgies
3. IT infrastructure management
4. Skills shortages or management
5. Managing service delivery
7
Q. Has your organisation's digital strategy been impacted by its cybersecurity?
Q. How has your organisation's digital strategy been impacted by its cybersecurity? (multiple choice)
Don't know
14%Yes
31%
No
55%
28%
28%
25%
24%
24%
24%
Technologies/Processes used by cybersecurity and digital teams
are not compatible
Cybersecurity strategy is limited in scope
Cybersecurity personnel are not familiar with digital strategy implementation
Cybersecurity team is siloed from digital strategy team
Cybersecurity strategy development is not aligned to digital strategy
Not sure
Figure 3: How cybersecurity is impacting digital strategy.
Telsyte Cybersecurity Study, 2019, n=243
n=109, Base: Orgs that have digital strategy impacted by cybersecurity strategy
8
Adding to the concern is that 14 per cent of IT leaders are not aware if digital strategies are being impacted by cybersecurity. On the security professional side, the research found 25 per cent are not familiar with digital strategy implementation. With nearly one quarter (24%) of cybersecurity teams siloed from the digital strategy team, and the same rate of organisations with no alignment between the two strategies, there is a significant disconnect between security and digital.
The lack of investment and collaboration between cybersecurity and digital strategy has led to organisations identifying cybersecurity “gaps” among the different technologies adopted. 74 per cent of New Zealand, and 89 per cent of Australian organisations reported that some of their technologies have cybersecurity "gaps".
These kinds of cybersecurity challenges can impact almost all emerging technologies and their applications.
Cloud-based services top the list with 43 per cent of Australia and New Zealand organisations identifying related cybersecurity challenges, followed by other emerging technologies like IoT, big data, machine learning and AI.
IT and business leaders who bridge these "gaps" from the start will enable more applications of emerging technology, without the associated risk.
Figure 4: Emerging technologies producing cybersecurity gaps.
Q. Which of the following does your organisation see having cybersecurity challenges or "gaps" with interactions of different systems?
Total of those that face cybersecurity challenges or gaps
Cloud computing
Internet of Things
Big Data and Data Analytics
Chatbots
Machine learning/deep learning
Artificial Intelligence
Augmented Reality (AR)/Virtual Reality (VR)
Cellular machine-to-machine (M2M)
Cognitive computing
Blockchain
Robotic Process Automation
Biometrics
87%43%
32%24%24%
22%21%19%
15%15%
12%10%
9%Telsyte Cybersecurity Study, 2019, n=243
9
A disparity between cybersecurity, digital strategies and investments will not stop the relentless pace of attacks and breaches.
The prevalence of cybersecurity attacks continues to grow and emerging technologies are not immune to the problem. The research found more than one in five organisations have experienced at least one breach per month across key emerging technologies.
Identifying cybersecurity attacks and threats
Cloud Computing
29%Block Chain
25%
Internet of Things
27%Artificial Intelligence
21%
Big Data and Analytics
28%
Figure 5. The alarming rate of cyber breaches relating to emerging technologies.
Experience breaches at least once per month.
The high rate of breaches across various emerging technologies indicates a need for a more proactive approach to cybersecurity, as opposed to a reactive one.
This need is underscored by the alarming amount of attacks which are successful. Telsyte’s research shows that one in six known cybersecurity attacks are successful and the rate is even higher for organisations which have had security breaches, where 26 per cent claim the breaches were successful.
CIOs must identify the potential exposure emerging technologies bring and align their teams and funding to meet the challenges. Waiting for a public breach to drive change is simply too risky.
10
Telsyte Cybersecurity & Privacy Study, 2018, n=243, base: total respondents
1 in 5organisations have at least one breach per month
Key Points
Cybersecurity attacks continue unabated
• Cybersecurity attacks continue and emerging technologies is not immune
• 20% of Australia and New Zealand organisations have experienced at least one breach across key emerging technologies
• One quarter of breaches are successful and one-third of attacks have no discernible pattern to them
• Waiting for a breach to drive change is too risky
The success of cybersecurity attacks can be attributed to their diverse nature. Telsyte’s study found more than one-third of cyber attacks have no discernible pattern and 28 per cent occur after work hours in Australia, indicating their global nature.
Well-aligned digital and cybersecurity strategies must prepare for non-stop attacks outside traditional operating hours. An e-commerce initiative will face cyber attacks well after the shop doors have closed for the day.
The research also investigated trends in the type of threats organisations face. Telsyte’s cybersecurity study found almost half of all Australia and New Zealand organisations have been exposed to a cyber attack in the form of malware and malicious emails during the past 12 months.
Figure 7. The diverse nature of cyber attacks know no limits.
Figure 6. The alarming rate of successful security breaches.
Q. What are the patterns of the attack?
Of organisations that have had security breaches (excluding none),
26%claim they are successful
11
1 in 6 known attacks are
SUCCESSFUL
Less than 20%
36%
>60%
3%None
37% 40%–60%
15%
20%–40%
9%
Telsyte Cybersecurity Study, 2019, n=243
26%
No discernible pattern
After work hours in Australia
Every time we update software
On weekends
On a Public Holiday
During work hours in Australia
Don't know/Not sure
37%
Telsyte Cybersecurity Study, 2019, n=243
Q. Approximately, what proportion of attempts have successfully breached your organisation's security?
18%
13%
10%
13%
14%
Cybersecurity attacks of high frequency, unpredictable nature and varied forms, can cost an organisation significantly in productivity, reputation, time and financial loss. To quantify the problem, the research estimated an average loss of $60 million due to cybersecurity breaches. Moreover, only 40 per cent of organisations measure the financial cost of cybersecurity attacks, indicating the average cost might be much higher.
Figure 8. The diverse nature of ongoing cyber attacks.
12
Q. Which of the following types of cyber-attacks incidents did your organisation experience in the last 12 months?
Malicious email
Malware
Spyware
Spear phishing
Ad-Fraud
Ransomware
Spambot
Scanning or brute force
Cryptocurrency Miner
Distributed Denial of Service
Application borne attack
Keylogger
Stolen credentials
Botnet attack
Social engineering
42%40%
24%22%
14%13%13%13%
12%12%
10%10%10%
8%7% Telsyte Cybersecurity Study, 2019, n=243, Multiple Choice
Figure 9: The huge cost of cybersecurity breaches.
Q. Approximately how much did cybersecurity breaches or attacks cost your organisation financially in the last 12 months?
Telsyte Cybersecurity Study, 2019, n=140, Base: the average from organisations surveyed and experienced losses, and have systems to measure losses (min 50 employees)
• On an average, each adopted technology used by organisations is attacked at least once a month
• Only 40% of organisations measure the financial cost of cybersecurity attacks
• Of those, only 20% claimed they have not lost any revenue due to attacks, with another 19% not knowing
>$500M
6%$100M–$499M
7%
$50M–$99M
8%
$20M–$49M
9%
$6M–$19M
14%
Less than $5M
56%
Average annualmeasured loss:
$60M
13
Cost of cybersecurity breaches
With cybersecurity challenges so prevalent and diverse, organisations are struggling to keep on top of the threats. The research shows the clear mismatch between new digital projects and spending, and this lack of alignment can lead to basic operational challenges like failing to defend against network service attacks.
There is a growing opportunity for local organisations to engage with a specialist cybersecurity provider to enable more capability and proactive mitigation.
The study found one-third of respondents are investigating using a cybersecurity outsourcing provider, with 10 per cent of the market still unsure.
Getting on the front foot with cybersecurity services
Figure 10. The strong intention to use a cybersecurity outsourcing provider technologies.
Q. Which of the following best represents your organisation when it comes to outsourcing cybersecurity?
Telsyte Cybersecurity Study, 2019, n=243
Don't know/not sure
10%
We have an outsourced provider that manages our cybersecurtiy
29%
We do not have an outsourced
provider, and do not intend to use one
28%
We do not have an outsourced
provider, but intend to use one
33%
Key points:
Help fight the battle with a cybersecurity partner
• Organisations are struggling to keep on top of cyber threats
• There are many options for cybersecurity services to help manage risk
• More than 30% of IT leaders are investigating a cybersecurity outsourcing provider
• Compatible cybersecurity frameworks among providers help overcome integration challenges
The rise of cloud-based security services has resulted in many options for enterprises to engage with a third-party for cybersecurity support.
According to Telsyte’s research, among organisations that have outsourced their cybersecurity, almost half are engaging third-parties for security monitoring. Nearly 40 per cent outsource incident response.
IT and business leaders can get support with everything from denial of service prevention to identity management. Taking more operational tasks away from in-house staff will lead to better strategic alignment between cybersecurity and digital transformation activities.
14
The range of cybersecurity services that can be outsourced is quite extensive; however, often challenges getting outsourcers to work together to deliver a comprehensive security service remain.
Figure 11: A range of cybersecurity requirements can be outsourced to specialist providers.
Telsyte Cybersecurity Study, 2019, n=96, base: Those that have an outsourced provider that manages their cybersecurity
Telsyte Cybersecurity Study, 2019, n=96, Base: Those that outsource cybersecurity
Q. What parts of your organisation's cybersecurity capabilities are currently outsourced to third parties?
Security monitoring
Incident response
Network perimeter management
Cloud security management
Identity and access management
Endpoint solution management
Email and web security management
Denial of service control
49%39%
35%
30%
33%31%
25%21%
Figure 12: The challenge of incompatible cybersecurity frameworks.
Q. Do your multiple separate outsourcers have compatible security frameworks that work together?
Yes, all of them are compatible
44%
Yes, but only some of them are
compatible
30%
Don't know/not sure
22%Some of them do not
have any security frameworks
2%All of them are not
compatible
2%
15
Figure 13: Organisations must also work towards compatible frameworks with suppliers.
Q. Is your organisation's security framework and your outsourcer's framework compatible, or do they work together?
Implementing compatible cybersecurity frameworks among separate outsourced service providers can go a long way to overcoming these challenges.
Telsyte’s cybersecurity study found one in three organisations with multiple outsourcing providers have suppliers that are not compatible with each other in terms of a security framework.
Adding to the challenge is nearly 25 per cent of respondents do not know, or are unsure, if their outsourcers have compatible security frameworks. This lack of knowledge limits the organisation’s ability to assess how well the security service providers are performing. This compatibility problem also extends to between the organisation and the service provider.
Telsyte’s research found that among organisations whose outsourcers have a security framework, almost 32 per cent are only partially compatible with their outsourcer at best. A further 13 per cent are unsure about framework compatibility.
Not compatible
2%
Don't know/not sure
13%
Partial
30%
Fully compatible
55%
Telsyte Cybersecurity Study, 2019, n=84, Base: Those whose outsourcer have a security framework
16
Figure 14: Engage with a provider which has a comprehensive cybersecurity framework.
Q. Do your organisation's outsourcers have a security framework?
CIOs should investigate rationalising their cybersecurity providers to limit framework compatibility issues and gain consolidated threat detection and risk mitigation strategies.
These compatibility issues can be avoided by engaging with a cybersecurity service provider that can deliver a comprehensive service, including any existing requirements. The closer you can align frameworks from the start, the more time you will save time and resources in liaising between multiple providers to come to an agreed cybersecurity framework. Furthermore, a comprehensive outsourcer is more likely to apply the same cybersecurity framework across all its services, making management and reporting for cybersecurity services easier.
The study found that 69 per cent of cybersecurity outsource service providers engaged by organisations across Australia and New Zealand have a security framework.
Telsyte Cybersecurity Study, 2019, n=96, Base: Those that outsource
17
Yes
69%
Don't know
18%
No
13%
To ensure organisations across Australia and New Zealand can innovate with confidence, Telsyte research found a number of recommendations:
• Balance cybersecurity spending. Organisations in Australia and New Zealand are investing in emerging technologies to support digital transformation programs. This trend is positive; however, cybersecurity spending must reflect these investments and not be viewed as an afterthought.
• Bridge cybersecurity and digital teams. With nearly one quarter of cybersecurity teams siloed from the digital strategy team, it is time for more collaboration to curb emerging risks. Australia and New Zealand' organisations also need more alignment between the two strategies in general.
• Identify capability gaps. Lack of investment and collaboration between cybersecurity and digital has led to many cybersecurity “gaps”. It is important to identify where the organisation is exposed among the different emerging technologies being adopted.
• Be prepared for emerging threats. Organisations are already experiencing a high rate of breaches
Recommendations
18
across various emerging technologies. This indicates a need for a more proactive approach to cybersecurity, as opposed to a reactive one. Attackers will not wait for you to catch up on a new vulnerability.
• Investigate cybersecurity services. CIOs do not need to take on the expanding burden of cybersecurity services in-house. There are many options for outsourcing cybersecurity tasks across a number of applications. Outsourcing cybersecurity helps in-house staff be more strategic with digital initiatives.
• Avoid incompatible security frameworks. Telsyte’s research found one-in-three organisations with multiple outsourcing providers have suppliers with incompatible security frameworks. Align frameworks from the start to limit time liaising between multiple providers to arrive at an agreed cybersecurity framework.
IT and business leaders across Australia and New Zealand are faced with many challenges managing emerging technology adoption with the need for better cybersecurity. Taking a collaborative approach with cybersecurity and digital, combined with the prudent use of service providers, will position organisations to be more innovative and resilient.
About this report
In preparing this report, Telsyte used the results of an online survey of 243 IT decision makers across Australian and New Zealand organisations with greater than 50 employees.
Sampling was conducted to reflect the largest organisations in Australia and New Zealand, with 77% of respondents coming from organisations with greater than 200 employees.
The respondent was required to have a strong understanding of their organisation’s IT cybersecurity policies and processes, and was not limited to just the CIO or IT department. The survey took around 25 minutes to complete.
The survey had a confidence interval of +/-6.23 at a confidence level of 95%. Interviews were conducted via an online survey completed by respondents on computers, tablets and smartphones.
19
Learn more at www.dxc.technology/au/security
www.dxc.technology/au
About DXC Technology
DXC Technology (DXC: NYSE) is the world's leading independent, end-to-end IT services company, serving nearly 6,000 private and public-sector clients from a diverse array of industries across 70 countries. The company's technology independence, global talent and extensive partner network deliver transformative digital offerings and solutions that help clients harness the power of innovation to thrive on change. DXC Technology is recognised among the best corporate citizens globally. For more information, visit dxc.technology.
© 2018 DXC Technology Company. All rights reserved. MD_8777a-19. August 2018
About Telsyte
Telsyte is Australia’s leading emerging technology analyst firm. Telsyte analysts deliver market research, insights and advisory into enterprise and consumer technologies. Telsyte is an independent business unit of DXC Technology.
Visit www.telsyte.com.au for more information.
